Dependence on presence of MEI device #8

Open
paulmenzel opened this issue May 15, 2017 · 5 comments

@paulmenzel

It’d be great to get confirmation that the idea of the check program is correct as it claims to know if the AMT is disabled. From #[email protected].

09:47 < nico_h> but generally, pretending that there is no issue if the MEI is missing, seems a bad idea
09:48 < nico_h> somebody should tell him
09:48 * nico_h doesn't have a github account
09:50 < PaulePanter> nico_h: Does https://github.com/mjg59/mei-amt-check/blob/master/mei-amt-check.c only check for the MEI presence?
09:51 < nico_h> no, but there's a message in the code "Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.\nIf you receive the same error, this system does not have AMT\n"
09:53 < nico_h> I don't know for sure if the idea is wrong. but I would be careful with such statements. also the mei_me module could just miss a PCI ID...

@mjg59
Owner

mjg59 commented May 15, 2017

I'd be pretty surprised if mei_me is missing any PCI IDs for any vulnerable hardware. What kind of clarification would be helpful here?

@mpe

mpe commented May 16, 2017

The MEI driver could be disabled completely, though presumably no distros do that.

To be completely thorough it should grovel through lspci looking for any known MEI devices.

@swapdisk

swapdisk commented Dec 6, 2017

Interesting results for Dell servers. For example, on PowerEdge R930, the MEI device is seen in lspci...

# lspci | egrep '(MEI|HECI)'
00:16.0 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #1 (rev 05)
00:16.1 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #2 (rev 05)

But the mei-amt-check output in question is output...

# ./mei-amt-check
Unable to find a Management Engine interface - run sudo modprobe mei_me and retry.
If you receive the same error, this system does not have AMT

Doing modprobe mei_me, we see the driver is unable to interface with the device...

# rmmod mei_me
# modprobe mei_me
# dmesg | tail
...
[74361.972046] mei_me 0000:00:16.0: Device doesn't have valid ME Interface

According to my Dell rep, while AMT is technically enabled in their servers (and can't be disabled by any BIOS setting), access from host OS or network interface is not possible...

Intel ME is enabled for basic silicon enabling (ie; embedded within the server). With that said, Dell PE servers do not enable any external communication interfaces (out of band network access or in-band driver based access to ME from OS) within our designs. The vulnerability from Intel that applies to any server CPU (ie, Skylake) is limited to "physical access only" and quite remote. This is unlike the client processors whereby ME has a much broader role in OOB manageability. The Dell PowerEdge servers achieve all of the manageability functions via iDRAC and not ME. ME’s role is limited to be conduit for some basic thermal /power info and only to iDRAC.

Just posting all this for folks' awareness; not expecting a solution.

@disjustin

@swapdisk This issue is still current on multiple of my SuperMicro Intel systems.

[root@localhost mei-amt-check]# lspci | grep MEI
00:16.0 Communication controller: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #1 (rev 31)
00:16.1 Communication controller: Intel Corporation 100 Series/C230 Series Chipset Family MEI Controller #2 (rev 31)
[root@localhost mei-amt-check]# rmmod mei_me
[root@localhost mei-amt-check]# modprobe mei_me
[root@localhost mei-amt-check]# dmesg | tail
[95796.535490] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[95796.535491] mei_me 0000:00:16.1: Device doesn't have valid ME Interface
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:16.1 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #2 (rev 04)
[15952.770601] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
[15983.730694] mei_me 0000:00:16.0: Device doesn't have valid ME Interface

@umlaeute

umlaeute commented Apr 26, 2023

just to chime in with my new SuperMicro X12DPi-N6 board:

root@localhost:~# lspci | egrep '(MEI|HECI)'
00:16.0 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #1 (rev 0a)
00:16.1 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #2 (rev 0a)
00:16.4 Communication controller: Intel Corporation C620 Series Chipset Family MEI Controller #3 (rev 0a)
root@localhost:~# dmesg | grep -i mei
[   23.523573] mei_me 0000:00:16.0: Device doesn't have valid ME Interface
root@localhost:~#
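
A triage sketch for the situation reported in this thread, added here as an example (it is not code from mei-amt-check or from any commenter): it separates "no MEI PCI device", "MEI listed but the driver reports no valid interface" and "MEI usable", so that a missing interface is not read as "no AMT". The verdict names, the function names and the /dev/mei* node check are assumptions of this example; the sample lspci and dmesg lines are copied from the PowerEdge R930 comment above.

```sh
#!/bin/sh
# Added example (not part of mei-amt-check): report what the host can see of
# the MEI instead of reading "no interface" as "no AMT".
# Usage: classify_mei LSPCI_TEXT DMESG_TEXT NODE_PRESENT(yes|no)
classify_mei() {
    lspci_text=$1; dmesg_text=$2; node_present=$3
    # Same pattern the thread uses: lspci | egrep '(MEI|HECI)'.
    # "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
    mei_count=$(printf '%s\n' "$lspci_text" | grep -Ec '(MEI|HECI)' || true)
    if [ "$mei_count" -eq 0 ]; then
        echo "no-mei-pci-device"              # nothing listed; not proof of "no AMT"
    elif [ "$node_present" = yes ]; then
        echo "mei-usable"                     # a /dev/mei* node exists: run the check
    elif printf '%s\n' "$dmesg_text" |
         grep -q "mei_me .*Device doesn't have valid ME Interface"; then
        echo "mei-present-no-valid-interface" # driver reported no valid ME interface
    else
        echo "mei-present-no-driver-node"     # driver absent, disabled or not loaded
    fi
}

# Live collection. Assumption of this example: the mei driver exposes /dev/mei*.
collect_and_classify() {
    node=no
    for n in /dev/mei*; do
        if [ -e "$n" ]; then node=yes; fi
    done
    classify_mei "$(lspci 2>/dev/null)" "$(dmesg 2>/dev/null)" "$node"
}

# Sample input copied from the PowerEdge R930 comment in this thread.
SAMPLE_LSPCI="00:16.0 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #1 (rev 05)
00:16.1 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #2 (rev 05)"
SAMPLE_DMESG="[74361.972046] mei_me 0000:00:16.0: Device doesn't have valid ME Interface"

echo "R930 sample: $(classify_mei "$SAMPLE_LSPCI" "$SAMPLE_DMESG" no)"
```

Any verdict other than `mei-usable` means the AMT state cannot be determined from the host OS with this tool, which is the case the Dell and SuperMicro reports above describe.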
